
An anonymous reader writes "TEES is reporting that Dr Laszlo Kish, an associate professor at Texas A&M, has proposed a 'classical, not quantum, encryption scheme that relies on classical physical properties -- current and voltage. He said his scheme is absolutely secure, fast, robust, inexpensive and maintenance-free and relies on simultaneous encrypting of information by both the sender and the receiver.' The scheme uses properties similar to Johnson noise along with Kirchhoff's Law to provide what he hopes to be an easier method of secure communications. Arxiv also has the full text [PDF Warning] of the paper."

As I understand it, quantum cryptography is only used as a method of key distribution, which is then put into a "normal" cryptosystem like AES. The supposed advantage over asymmetric public-key distribution is that it can't be broken by a quantum computer. However, it is still vulnerable to man-in-the-middle attacks, and encryption is worthless without authentication — so why consider quantum cryptography in the first place?

In Quantum Cryptography, traditional man-in-the-middle attacks are impossible due to Heisenberg's uncertainty principle. If Mallory attempts to intercept the stream of photons, he will inevitably alter them if he uses an incorrect detector. He cannot re-emit the photons to Bob correctly, which will introduce unacceptable levels of error into the communication.

If Alice and Bob are using an entangled photon system, then it is virtually impossible to

It works if Mallory pretends to be Bob to Alice, and Alice to Bob. He can simply decrypt and re-encrypt, forwarding the packets between them. Both parties need to be sure of who is on the other end of the line, and in a practical system it may not be possible to check many kilometres of fibre for tampering.

Quantum Encryption is p2p. Which means when Bob and Alice trade IP addresses, Mallory would need to convince Bob that her IP is Alice, and Alice that her IP is Bob, which is tough. I mean, if you're trading sensitive info, you ought to be able to have each other's IPs.

Yes, but without overlay network. Quantum cryptography works only for directly connected hosts, so it is basically useless except in some very special scenarios. I think the only reason quantum crypto (and that should be properly 'quantum modulation' or the like) as well as quantum computation is so popular today is because it captivates people's imagination. Since quantum crypto is really just key exchange, you could always replace it with pre-comottated random keys in the neighb

People no longer understand p2p as "point to point", but rather "peer to peer". Point2Point cannot use significant IP addresses, but Peer2Peer must use them (or something similar).

Which means when Bob and Alice trade IP addresses,

I hope you meant "IP address" in some metaphorical way. There is no way QC can be applied to operate over an internet with real IP addresses. IP requires routing, and routing means packet-forwarding, but QC depends on photonic signals that are irreproducible, and thus unroutable.

you ought to be able to have each other's IPs

Do you know the IPs of every mail-order vendor from which you might wish to order?

What you're doing is repeating the usual QC-request to have the initial exchange of recognition data left off of the vulnerability analysis, because it is in fact susceptible to every kind of man-in-the-middle assault.

"James Bond may use the fanciest, most expensive and high-tech devices to thwart would-be eavesdroppers, but in a pinch, the super-spy can use one Texas A&M engineer's simple, low-cost scheme to keep data secure from the bad guys."

This is the first sentence from the article. I'm sorry, but I cannot take anything in that article seriously. On another note the guy has an interestingly Hungarian sounding name.

ummmmm.... "James Bond may use the fanciest, most expensive and high-tech devices to thwart would-be eavesdroppers"

Are you talking about a pistol? I know it is probably the most effective technology against the weakest link in any security applications. Not sure about whether the Texas A&M guy can come up with something simpler :)

Read the academic paper (letter) not the announcement on A&M's site. The announcement is most likely not written by the good professor himself. The paper on the other hand, although it is a first draft and in the form of a letter, appears well written and substantiated.
And a professor of EE in Texas A&M is a good enough title to provide credibility, I mean come on dude, we read hundreds of bogus articles on slashdot posted by ignorant journalists or wannabe patent owners and you raise an issue of cred

The announcement is most likely not written by the good professor himself.

You're correct; the article was written by an employee of the communications department of the TAMU engineering program. The article was written for the "general public" audience. Also, the reporter him/herself is unlikely familiar with secure communication and quantum cryptography principles. The professor was interviewed by the reporter. He likely, either by choice or necessity, had to describe his paper in a context outside the

Then why don't you read the paper [opensubscriber.com], referred to from the article?

There probably are a hell lot of people like me out there; I personally have a lot of difficulties reading pure-technical texts... my mind gets distracted and I don't remember the things I read. When a text is written a bit more lively way, it helps me stay focussed on the article and everyone's happy...

The only way an eavesdropper can determine which resistance is being used at which end is to inject current into the communication channel and measure the voltage and current changes in different directions. Doing this, though, exposes the eavesdropper, who is discovered with the very first bit of information extracted.

But the circuit will get current induced in it from other sources anyway, adjacent phone lines, power lines, etc. How do the two ends of the link distinguish between accidental ind

Also, you can measure it at both ends of the line, and then from the phase of the changes deduce which side made which changes.

I thought I had heard a similar claim long ago about modem signals (at least, with newer modulations, not the ones with discrete tones for each direction) - the modem on each end can understand the other side only by subtracting out its own signal (which, of course, it knows) - an eavesdropper listening in wouldn't be able to separate them out.

This sounds very good in theory, but it may be difficult to implement securely.

For example, he claims an eavesdropper could inject current to measure voltage drops, but would be discovered on the first attempt. If the eavesdropper can send a pulse of current that is so small as to not be registered on the endpoint equipment (which say samples the line at 1X sampling rate), but the attacker is injecting and sampling at a rate 100X faster, the attacker's pulse will be so far above the Nyquist bandwidth of the endpoints that they will never see it.

I admit I only read the abstract, he may address this later on in the paper.

I'm not sure if this is at all relevant, but Lineman's phones (imagine your old school corded phone, but instead of the cord it has two alligator clips) have a 9v battery inside them so that when they clip onto the line from the phone box, there's no voltage drop.

As an owner of 2 butt sets (lineman's phones) I can say that this isn't always true. My old western electric rotary one is batteryless. It is still handy for just that reason (and yes, I can still dial out with it on POTS service). My newer Chesilvale needs a 9v battery to work, but it also has a speakerphone in it and more features. I don't believe the battery is there to prevent detection (eliminating voltage drops).

There is more to a butt set than it being a corded phone with alligator clips. It ha

I'll confess my understanding of this is sketchy at this point. But as I read it the concept is this: one has a wire connecting two resistors. The Johnson noise in the wire is determined jointly by the resistors. Both sides, sender and receiver, are changing the resistance values simultaneously with the sender putting in the message and the receiver putting in random crap which gets added to the signal. A person monitoring the voltage in the middle can't tell what fraction of the noise came from which side. Therefore the message can't be extracted. Clever. Oddly it's a lot like the Bell's theorem experiment in QM where both sides are changing their filters.

What seems to be the flaw in this is that he assumes that the attacker must inject current unidirectionally to determine which resistance is at which end. Perhaps another means exists, courtesy of the speed of light.

Namely if you monitor the voltage at two points along the wire then you can distinguish between a wave propagating from left to right and right to left. So you can now determine what fraction of the noise is coming from the left and what is coming from the right. Even if the noise level made this hard to do, there's also the moment of the resistor switch to capture. Each time the resistor is changed, even if it were perfectly synchronous, the left side's noise will reach the left tap sooner than the right tap.

This last effect could possibly be masked by injecting large amounts of noise into the system during the switch. (but of course this would also mask any current injection by the attacker as well). But the former effect of the noise signals propagation might still be detectable.

Namely if you monitor the voltage at two points along the wire then you can distinguish between a wave propagating from left to right and right to left. So you can now determine what fraction of the noise is coming from the left and what is coming from the right. Even if the noise level made this hard to do, there's also the moment of the resistor switch to capture. Each time the resistor is changed, even if it were perfectly synchronous, the left side's noise will reach the left tap sooner than the right tap.

This article uses the words 'proposed' and 'absolutely secure' in the same paragraph. You can't trust such a claim about a proposed system until it's been implemented, distributed, deployed, and pounded on for years by cryptanalysts.

How would cryptanalysts be helpful here? You did read the article, right? About a way of making it impossible to tap communications without it being detectable immediately at the endpoints? Since the topic of the article has nothing to do with encryption, I fail to see how having cryptanalysts "pound" on it for years will help expose any problems...

Do either of you realize that the entire point of publishing in an academic journal is to allow for other experts to review the research and either pound away at it or build on it?
This is a new discovery. It will take time for the research to find all of the implications and work everything out. This is just the first paper on the topic. If the research is promising, other people will extend or critique this work going forward.

*Disclaimer* I have no expertise whatsoever in the field but I'm very skeptical of what is being claimed.

The only way an eavesdropper can determine which resistance is being used at which end is to inject current into the communication channel and measure the voltage and current changes in different directions. Doing this, though, exposes the eavesdropper, who is discovered with the very first bit of information extracted.

But what if the eavesdropper was present from the very beginning, how will they be

Given this, if the sender and receiver consistently share the values they measure for the current at each step, over a public channel, they give away no information, but if there is an eavesdropper, they discover him/her immediately.

Ah. So if the sender and receiver already have a reliable method of communication, they can use that to prevent eavesdropping on this new channel.

Now, how do they get this reliable method of communication to check current measurements with each other, that is

There is no such thing as what this guy is claiming to have created. Every so often someone pulls something like this out of their arse and starts making all kinds of fantastic claims that are quickly accepted as true by the uninformed. There is no such thing as a perpetual motion machine, an honest politician, or perfect encryption. All three exist in theory, but never in reality.

It may be that this new scheme does represent a method of encryptions that is on-par with the best existing methods, or perhaps

There is no such thing as a perpetual motion machine, an honest politician, or perfect encryption. All three exist in theory, but never in reality.

Well, let's see. The perpetual motion machine doesn't exist, in theory, because the laws of thermodynamics and whatnot essentially rule it out. Of course, it may exist in somebody's theory, but their theory would be at odds with actual, working theories that correspond with reality.

You're closer to the mark when it comes to the honest politicians. I think t

Nope! Read the article you linked to. Carnot's theorem indicates that no engine operating between two heat reservoirs can be more efficient than his... but that doesn't mean there's no loss in the system. On the face of it, such a thing would require no gravity present, no friction in the system, literally perfect heat trapping, etc. The theories are that those things are impossible, and so with the Carnot engine, we're talking ab

"The only way an eavesdropper can determine which resistance is being used at which end is to inject current into the communication channel and measure the voltage and current changes in different directions."

How about recording the signal after it has been transmitted through some output at the other end? This bugging would not interfere with the signal being transmitted but would still record the information for transmittal later? If you are transmitting the information through a computer, I think s

What happens if a thermal fluctuation in the wire causes the loss? How can we tell this from an eavesdropper? To make this work surely the tolerances of all components need to be 0%. Nobody has ever made a 0% tolerance resistor, it's a purely theoretical component. Which makes me wonder if this has actually been tested in the lab. Perhaps I'm missing something?

First, Cryptography is hard. Even professional cryptographers with decades of experience still get it wrong -- often. Considering as this guy has essentially no previous experience (he's an EE professor), it's already near certain that he's dead wrong.

Second, he doesn't provide "absolutely secure" communications. He provides non-interceptable communications. He's totally ignoring authentication, non-repudiation, man-in-the-middle attacks, and half a dozen other very important problems. (It's also not a cipher, but we'll ignore that slip.)

He also assumes (from the abstract) that an eavesdropper can only eavesdrop by injecting current into the wire, which is blatantly false. One could easily tap the magnetic field generated by current in the wire, without drawing very much power from the wire at all.

And to top it all off, he's depending on the precise values of voltage and current, which means this is an analog system. Analog systems are notoriously difficult to build precisely -- which is why we're using digital everywhere.

This is such bad research that I can't wait until Bruce Schneier [schneier.com] gets ahold of this.

It is. On the other hand, since cryptography has nothing to do with the problem he's working on, this is an irrelevant observation.

He's totally ignoring authentication, non-repudiation, man-in-the-middle attacks, and half a dozen other very important problems.

Yup. He's also ignoring global warming, terrorism in Israel, and numerous other very real problems that are nevertheless irrelevant to the problem at hand. You appear to have misunderstood what problem he's attempting

First, Cryptography is hard. Even professional cryptographers with decades of experience still get it wrong -- often. Considering as this guy has essentially no previous experience (he's an EE professor), it's already near certain that he's dead wrong.

He is doing cryptography in the quantum cryptography sense--a secure, non-interceptable channel--not in the algorithmic cryptography sense. He is well-qualified to talk about the kinds of systems he is talking about.

How precise does this system have to be in order to detect the current loss due to an inductive tap? That has to be REALLY low. You'd probably get errors due to random EM all the time if you're depending on your signal quality being that perfect.

Quantum communications has similar problems - that is the polarized photons one [cf. wikipedia:quantum encryption]; It is quite possible to eavesdrop on a quantum channel if the sender has to send with high redundancy in order to overcome signal loss; Of course you will invest work into having low signal loss in order to increase security, but you could do similar stuff with normal electric currents.

Dr. Laszlo Kish's scheme seems to be about having the receiver introducing a random stream which makes it har

It seems to me that they are assuming perfect channels which don't introduce random noise?

FTFA: "The way the eavesdropper gets discovered is that both the sender and the receiver are continuously measuring the current and comparing the data," Kish said. "If the current values are different at the two sides, that means that the eavesdropper has broken the code of a single bit. Thus the communication has to be terminated immediately."

And it also assumes that measuring equipments themselves are calibera

Well, except it's hard to dupe an electrical random noise generator, harder than duping a CD at any rate.

Most electrical noise generators rely on chaotic physical events, like the noise in a Zener diode. Even if you build two completely identical noise generator circuits, their outputs will never be the same.

Well, in that case "security by obscurity" would not be a bad thing, but a rather meaningless term describing all imaginable security systems. =) If that's what you believe you just need to learn what the expression actually refers to: "In cryptography and computer security, security through obscurity (sometimes security by obscurity) is to some a controversial principle in security engineering, which attempts to use secrecy (of design, implementation, etc.) to ensure security. A system relying on security t

---For example, if somebody stores a spare key under the doormat in case they are locked out of the house, then they are relying on security through obscurity."

I understand what it traditionally means, but what difference does it make if it's 1 doormat or 10^10 of them? You're still relying on secrecy and obfuscation to get people who you want to have permission to get it, and keep out all others.

The best security exists in a world where nobody understands how it works or knows it exists. Taking that into account tomorrow's secure technology is secure with the knowledge and tools we have today, but may not be so ten years after the secure technology is in the wild. The best you can hope for is being a few steps ahead of the people who want to take advantage of your provide data. This is not to say that working on security improvements is worthless, rather that you will always have to work on better t

Good luck trying to break one time pad. Even 300 years from now. You'll also need good luck while trying to break RSA with a big enough key if we don't make a quantum computer. Oh, I almost forgot, good luck trying to break the current used symmetric cryptography systems, even 30 years from now.

The best security is not the one done with the newest technology. The best security is the one with the toughest weak link. But if you are only taking the technology into account, the best security is the one done with t

Even so, you'll have better luck if you understand how it works. Then you'll know to send the ninjas to break into the right cabinet and photograph the pages of random numbers for later use. Historically, OTP has been broken, when the pads were created with a biased RNG.

Everything is breakable, and knowledge allows you to hurt anything more effectively.

I just stop reading at this point. Perhaps saying that it is "thought to be secure at the current state of knowledge", but if there's one thing we should have learned already, it's that nothing is absolute.

Suppose Eve inserts a resistor in the transmission line. Now she can measure two voltages instead of one, and I'm pretty sure the difference in standard deviation will reveal the choice of resistors at each end of the line.

If Eve fears that her resistor might be detected, she can use the intrinsic resistance of the wire instead. Unless we assume superconducting transmission lines...

Nice try, though. This is probably related to the issue of determining who is talking when eavesdropping on a two-wire tele

A classical counterpart of quantum criptography... How could anyone imagine researching such a thing?

Of course, the process is so weak that I can already imagine a way of breaking it: One could insert low intensity pseudo-random noise (that mixes with the thermal noise) and measure the current. He'll be able to get near half the bits this way.

The author is also a bit naive, assuming that the resistance changes will be immediate. Since that is impossible, one can insert some current into the system during the

His PhD on solid state physics makes him an as good criptography expert as my current grad on computer vision (at most). Want a proof? Read my post, his proposal is at least as flawed as quantum criptography.

I read your post. His PhD in solid-state physics makes him more than qualified to talk about this sort of thing. You on the other hand are NOT. You don't even know what cryptography means OR how to spell it. This has nothing to do with cyphers and everything to do with setting up a physically secure

The thermal noise in the circuit will limit both the rate of data exchange and the confidence that a tap will be detected (or a false positive.) Over a long distance, the quality of the connection will be an important factor.

There is also the slight problem of the common clock which must be available at each end. Somehow both sides need to be synchronised which implies either quite expensive atomic clocks or a side channel containing the information. Either limits the practicability of the idea.

For years, there has been one encryption scheme that has been known to be 100% secure (at least against a simple ciphertext-only attack): the one-time pad. This is most often (but not necessarily) implemented as a simple XOR between bits in a key stream and bits in the text to be encrypted. The receiver decrypts the message by re-XORing the received bits with the same key stream to retrieve the original data.

As I mentioned, this is 100% secure, and any reasonably well-written book on cryptography will confirm that. To be 100% secure, however, the keystream must be as large as the data being encrypted, and must be absolutely random -- any degree of predictability can lead to breakage (e.g. search for "Venona").

The biggest shortcoming of a one-time pad is the key: first you have to generate an absolutely random key, and then you have to distribute that key to the people at both ends of the communication securely. The usual problem is that if you can communicate that key reliably, then you could normally communicate the data reliably just as easily. As such, a one-time pad is typically only useful in fairly limited situations like a spy receiving a DVD-ROM full of key material during a f2f visit, then using the key out in the field. For more typical scenarios it's rarely useful though.

This scheme seems to cure one, but definitely not both of those problems. It's basically a way of using two one-time pads simultaneously, so that the receiver can deduce the sender's key at any point, but what is transmitted over the wire basically depends on both his own key and his partner's key (not exactly an XOR, but a bit like it). If all the attacker does is collect the voltages on the line, I wouldn't be too surprised if this really is secure.

That doesn't mean there aren't any shortcomings though. One obvious problem is that both ends still have to generate absolutely, 100% random keys. Another problem is a man in the middle attack. If the pattern of resistor changes can be predicted, then the attacker only has to find the value once at one end to break all subsequent communications over the channel. Since the scheme doesn't (at least by itself) provide any kind of confirmation of who's on the other end of a line, a man in the middle has a pretty easy time with things.

Another approach would be to tap into the line at two points, preferably widely separated. Since the current only travels over the wire at (about) 2/3rds the speed of light, when one end changes a resistor, the change in voltage/current will be detectable first closer to that end, and some time later at the other end. Two widely separated measurements would allow an attacker to figure out which end changed resistors at any given time. Ultimately, the degree of separation doesn't even have to be particularly huge -- larger separation just reduces the precision of timing necessary, but even one foot apart gives about a nanosecond.

In this case, there is no need to transfer keying material. The receiver injects the random noise himself, so it's not really related to the one time pad, it's more like the idea of public key cryptography (in a very indirect way, before criticizing please read Ellis' paper [cesg.gov.uk]).

But you're right. Man in the middle would work like a charm, and that propagation method might work too (not my area of expertise).

In that link you cited the receiver only is injecting noise, in this system both sides are generating a stream of random bits. It does have similarity in that it combines the knowledge of what random choices the receiver made along with the resulting line condition, but the end result is the construction of a OTP that is mirrored on both ends. (Literally mirrored, both ends will have an inverse copy of each other, all the bits will be NOT'ed).
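The mirrored-key behaviour discussed in the comments above, as an added sketch that is not from the paper or from any poster: both ends pick a resistor at random each clock period, and a passive observer who only measures the noise level on the wire sees the same level for (low, high) as for (high, low). It models an ideal line (no wire resistance, no propagation delay, perfect clocks), which is exactly what other comments in this thread dispute; the resistor values, sample count and function names are assumptions.

```python
import math
import random

# Constructed values: resistor sizes, sample count and units are assumptions.
R_LOW, R_HIGH = 1.0, 10.0      # the two resistors each end can switch in
SAMPLES = 2000                 # noise samples measured per clock period


def parallel(r1, r2):
    return r1 * r2 / (r1 + r2)


# Expected mean-square wire voltage per resistor pair, in units where 4kTB = 1.
LEVELS = {
    "LL": parallel(R_LOW, R_LOW),
    "MIXED": parallel(R_LOW, R_HIGH),   # identical for (low, high) and (high, low)
    "HH": parallel(R_HIGH, R_HIGH),
}


def wire_mean_square(r_a, r_b, rng, n=SAMPLES):
    """Sample the Johnson-noise voltage on the wire and return its mean square."""
    total = 0.0
    for _ in range(n):
        u_a = rng.gauss(0.0, math.sqrt(r_a))   # noise source of A's resistor
        u_b = rng.gauss(0.0, math.sqrt(r_b))   # noise source of B's resistor
        # Kirchhoff: voltage at the wire between the two source+resistor branches.
        v = (u_a * r_b + u_b * r_a) / (r_a + r_b)
        total += v * v
    return total / n


def classify(mean_square):
    """Nearest expected level on a log scale; all a noise-level reading yields."""
    return min(LEVELS, key=lambda k: abs(math.log(mean_square / LEVELS[k])))


def run_exchange(periods=64, seed=1):
    """Return (alice_key, bob_key, eve_view, truth) for the kept clock periods."""
    rng = random.Random(seed)
    alice_key, bob_key, eve_view, truth = [], [], [], []
    for _ in range(periods):
        a_high = rng.random() < 0.5
        b_high = rng.random() < 0.5
        r_a = R_HIGH if a_high else R_LOW
        r_b = R_HIGH if b_high else R_LOW
        label = classify(wire_mean_square(r_a, r_b, rng))
        if label != "MIXED":
            continue                      # LL and HH expose both choices: discard
        alice_key.append(int(a_high))     # each end records its own choice ...
        bob_key.append(int(b_high))       # ... and knows the other end is the opposite
        eve_view.append(label)            # the observer only ever logs "MIXED"
        truth.append("HL" if a_high else "LH")
    return alice_key, bob_key, eve_view, truth


if __name__ == "__main__":
    a, b, eve, truth = run_exchange()
    print("kept periods:", len(a))
    print("alice:", "".join(map(str, a)))
    print("bob  :", "".join(map(str, b)))
    print("observer labels:", set(eve), "actual states:", set(truth))
```

Either end turns its raw bits into the shared key by inverting them; nothing in this model covers authentication of the far end or the two-tap timing measurement raised elsewhere in the thread.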

I have quite a high fever, so this might not be as inspired as I think.. ;) But the synchronization of the clocks initially has to be very precise. In fact, so precise that a lot of information has to be sent over to get it exact. It would be physically beautiful if it turns out that in order to get perfect synchronization you'd have to exchange enough information initially to make it a one-time pad. (and thus useless) OTH, the method is not really an encryption scheme, so perhaps it would be surprising if the

Peeking at the paper, it seems that the receiver somehow introduces noise to the channel, garbling the sender's signal. He then recovers the message by deducing what the sender chose because he knows what his noise is. A similar principle was used about 50 years ago, although maybe using a different method. I've not seen the paper about this device (Bell project C43), but the Ellis Paper on non-secret encryption [cesg.gov.uk] (PDF, sorry) makes a brief description of the device in item 6.

Just send someone an OTP [wikipedia.org] DVD generated by hotbits [fourmilab.ch] and keep a copy for yourself. Use the DVD only for key exchange and use AES for the data stream. No one can crack a one-time pad unless you make a mistake. This won't work for e-commerce, but it works wonderfully for terrorists and spies. For the extra paranoid, use the OTP data for encryption, but you'll eventually need a new one (re-using OTP data renders it crackable).

Are you on crack? The article discusses an analog encryption scheme for transfer of information along physical lines. On the other hand, VIA Padlock is a hardware implementation of a random number generator and some encryption algorithms.

Apart from having used the word "encryption" in the description of both of them, they have about as much to do with each other as a shoe and a condom (both are pieces of "clothing").

Eh? Much like quantum communication systems, this is aimed at providing secure point-to-point communications. Almost everything you said above is utterly irrelevant to the question at hand. It doesn't solve any of the problems you bring up because it isn't meant to.
Moving to hydrogen powered cars doesn't solve problems of secure Internet communications, either. That doesn't make them a step backwards...

If you are to guess a 50/50 state without any clues whatever, why listen in at all? You know it has to be a 1 or a 0, you don't need to actually be connected to the system for that. So just guess away. If it works, you have just cracked every conceivable system of encryption, and no tools or physical access to the message necessary! As for "several thousand combinations"... After the first 32 bits of information you have 4,294,967,296 possibilities, so I hope you are a good guesser. :-)

Eavesdropper wraps a wire around the communication wire, to measure the signal by induction. Would this be detectable? Or would this allow undetectable interception?

Yes, that would be detectable. For the same reason that we need a lot of falling water to turn the generators in hydro power plants. The energy (signal) in your wrapped wire does not come for free. It reduces the energy in the communication wire and is thus detectable.

Another way to see it: if the signal in your induction pickup were truly undetectable then we could wrap billions of similar induction pickups around the communications wire and generate electricity "too cheap to meter".

But apparently he has not read serious cryptography texts. This stuff he presents is seriously flawed and devoid of any practical applicability. Others have already pointed out many of the theoretical flaws, so I'll add a practical one: except for very special cases nobody uses copper wires any more for a phone call from source to destination. Copper only makes up what they traditionally call the "last mile", and that mile is rapidly shrinking these days. Also there are numerous active network elements invo